(54) MEMORY CARD AND DATA DISTRIBUTION SYSTEM USING IT



(57) A memory card (110) conducts an authentication process with a server based on data stored in an authentication data hold unit (1400). The memory card (110) extracts a first session key (Ks1) from a server by a decryption process and a transaction ID from the data applied on a data bus (BS3). The memory card (110) generates a second session key (Ks2) through a session key generation unit (1418), and transmits to the server, as the keys to encrypt content data in receiving decryption of content data, the second session key (Ks2) and a key (KPm(1)) unique to the memory card (110) in an encrypted state with the first session key (Ks1). The transaction ID and the second session key (Ks2) stored in the log memory (1460) are used in the redistribution process.
Description

Memory Card and Data Distribution System Using Such 
Memory Card 

Technical Field 

[0001] The present invention relates to a memory 
card that allows protection on copyrights with respect to 
copied information in an information distribution system 
to distribute information to terminals such as cellular 
phones, and a distribution system using such a memory 
card. 

Background Art 

[0002] By virtue of the progress in information communication networks and the like such as the Internet in these few years, each user can now easily access network information through individual-oriented terminals employing a cellular phone or the like.
[0003] In such information communication, informa- 
tion is transmitted through digital signals. It is now pos- 
sible to obtain copied music and video information trans- 
mitted via the aforementioned information communica- 
tion network without degradation in the audio quality and 
picture quality of the copy data, even in the case where 
the copy operation is performed by an individual user. 
[0004] Thus, there is a possibility of the copyright of 
the copyright owner being significantly infringed unless 
some appropriate measures to protect copyrights are 
taken when any content data subject to copyright pro- 
tection such as music and image information is to be 
transmitted on the information communication network. 
[0005] However, if copyright protection is given top 
priority so that distribution of content data through the 
disseminating digital information communication net- 
work is suppressed, the copyright owner who can es- 
sentially collect a predetermined copyright royalty for 
copies of a copyrighted work will also incur some dis- 
benefit. 

[0006] In the case where content data such as music 
data is distributed through a digital information commu- 
nication network as described above, each user will 
record the distributed data onto some recording appa- 
ratus, and then reproduce the data using a reproduction 
apparatus. 

[0007] Such recording apparatuses include, for example, a medium that can have data written and erased electrically such as a memory card.

[0008] As the apparatus to reproduce distributed music data, the cellular phone per se used to receive such data distribution can be employed, or when the recording apparatus such as a memory card is detachable from the apparatus that receives distribution, a dedicated reproduction apparatus can be used.

[0009] In the case where distribution of content data such as music data is to be received through a digital information communication network, particularly through a radio communication network, the communication may be cut off before the music data is completely distributed depending upon the state of the communication line. In the case where encrypted content data which is an encrypted version of content data is decrypted and reproduction information required for reproduction is to be distributed, any disruption in communication during distribution of the encrypted content data can be mended by establishing connection again and continuing data reception. Since the accounting process towards the user is carried out simultaneously in distributing reproduction information, the user will request retransmission of the reproduction information after connection is established again with respect to such disrupted communication. However, reproduction information should not be retransmitted incautiously in response to a request from the standpoint of protecting the rights of copyright owners. On the other hand, if retransmission is not conducted, the user will not be able to obtain the reproduction information even though the accounting process has been effected.

Disclosure of the Invention

[0010] An object of the present invention is to provide a data distribution system that can complete distribution of reproduction information even in the case where communication is disrupted before complete distribution of reproduction information by resuming communication while protecting the rights of copyright owners, and a memory card used in such a data distribution system.

[0011] A memory card of the present invention to achieve the above object receives and records reproduction information associated with reproduction of encrypted content data, including a content key to decrypt the encrypted content data into plaintext, through a communication path. The memory card includes a data communication unit, a first storage unit, an information extraction unit, a second storage unit and a control unit.

[0012] The data communication unit establishes a communication path with the transmission source of the reproduction information to receive the reproduction information transmitted in an encrypted state. The first storage unit stores data associated with the reproduction information applied from the data communication unit. The information extraction unit carries out the process of storing the data associated with the reproduction information from the data communication unit into the first storage unit, and extracting reproduction information based on data stored in the first storage unit. The second storage unit records a reception log indicating the processing status of the reproduction information transmission process. The control unit controls the operation of the memory card. The control unit controls transmission of the reception log to the transmission source in response to a request.

[0013] Preferably, the data communication unit includes a first key hold unit, a first decryption processing unit, a second key hold unit, a key generation unit, a first encryption processing unit, and a second decryption processing unit. The first key hold unit stores a first secret encryption key to decrypt data that is encrypted using a predetermined first public encryption key corresponding to a memory card. The first decryption processing unit receives and decrypts a first symmetric key that is updated and transmitted for each communication of the reproduction information, and encrypted using the first public encryption key. The second key hold unit stores a second public encryption key differing for each memory card. The key generation unit generates a second symmetric key updated for each communication of the reproduction information. The first encryption processing unit encrypts the second public encryption key and second symmetric key based on the first symmetric key for output. The second decryption processing unit receives reproduction information encrypted with the second public encryption key and further encrypted with a second symmetric key, and decrypts the reproduction information based on the second symmetric key. The first storage unit stores data based on the output of the second decryption processing unit. The information extraction unit includes a third key hold unit and a third decryption processing unit. The third key hold unit stores a second private decryption key to decrypt data encrypted by the second public encryption key. The third decryption processing unit carries out a decryption process for the second private decryption key in the procedure from the process of storing data associated with reproduction information into the first storage unit to the process of extracting reproduction information.

[0014] According to another aspect of the present in- 
vention, a data distribution system includes a content 
data supply apparatus and a plurality of terminals. 
[0015] The content data supply apparatus supplies encrypted content data, and reproduction information including a content key which is a decryption key associated with reproduction of encrypted content data and used to decrypt the encrypted content data into plaintext. The content data supply apparatus includes a distribution information hold unit, a first interface unit, a first session key generation unit, a session key encryption unit, a session key decryption unit, a first license data encryption processing unit, a second license data encryption processing unit, and a distribution log information hold unit. The distribution information hold unit stores content data and reproduction information. The first interface unit transmits/receives data to/from an external source. The first session key generation unit generates a first symmetric key updated for each distribution of reproduction information to a terminal. The session key encryption unit encrypts and provides to the first interface unit a first symmetric key using a first public encryption key predefined corresponding to a user's terminal. The session key decryption unit decrypts the second public encryption key and second symmetric key transmitted in an encrypted state by a first symmetric key. The first license data encryption processing unit encrypts reproduction information to reproduce encrypted content data using a second public encryption key decrypted by the session key decryption unit. The second license data encryption processing unit encrypts the output of the first license data encryption processing unit using a second symmetric key, and applies the encrypted output to the first interface unit for distribution. The distribution log information hold unit records a distribution log indicating the processing status of the current distribution process. The plurality of terminals receive distribution through a communication path from the content data supply apparatus, and correspond to a plurality of users, respectively. Each terminal includes a second interface unit, a reception control unit, and a data storage unit. The second interface unit transmits/receives data to/from an external source. The reception control unit controls the data transfer with an external source. The data storage unit receives and stores encrypted content data and reproduction information. The data storage unit includes a first key hold unit, a first decryption processing unit, a second key hold unit, a key generation unit, a first encryption processing unit, a second decryption processing unit, a first storage unit, a third key hold unit, a third decryption processing unit, and a second storage unit. The first key hold unit stores a first secret encryption key to decrypt data that is encrypted with a predetermined first public encryption key corresponding to the data storage unit. The first decryption processing unit receives a first symmetric key that is updated and distributed for each communication of the reproduction information, and encrypted using the first public encryption key, and applies a decryption process. The second key hold unit stores a second public encryption key differing for each data storage unit. The key generation unit generates a second symmetric key updated for each communication of the reproduction information. The first encryption processing unit encrypts and outputs the second public encryption key and second symmetric key based on the first symmetric key. The second decryption processing unit receives reproduction information encrypted with the second public encryption key and further encrypted with the second symmetric key, and decrypts the reproduction information based on the second symmetric key. The first storage unit stores data based on the output of the second decryption processing unit. The third key hold unit stores a second private decryption key to decrypt data encrypted with the second public encryption key. The third decryption processing unit applies a decryption process for the second private decryption key in the procedure from the process of storing data associated with reproduction information to the first storage unit to the process of extracting reproduction information. The second storage unit records a reception log indicating the processing status in the distribution process of encrypted content data and reproduction information. The reception control unit controls the redistribution process based on the reception log when the communication path is cut off during a distribution process.

[0016] Both the server and memory card store the distribution history and distribution status in a distribution system using the data reproduction apparatus and a memory card employed in the distribution system of the present invention. Therefore, information can be retransmitted by resuming communication even in the case where communication is disrupted during distribution. The reliability of the distribution process can be improved.

Brief Description of the Drawings

[0017]

Fig. 1 is a diagram to schematically describe an entire structure of a data distribution system of the present invention.
Fig. 2 is a diagram to describe the characteristics of data and information used in communication in the data distribution system of Fig. 1.
Fig. 3 is a schematic block diagram showing a structure of a license server 10.
Fig. 4 is a schematic block diagram showing a structure of a cellular phone 100.
Fig. 5 is a schematic block diagram showing a structure of a memory card 110.
Fig. 6 is a first flow chart to describe a distribution operation in the data distribution system of a first embodiment.
Fig. 7 is a second flow chart to describe a distribution operation in the data distribution system of the first embodiment.
Fig. 8 is a third flow chart to describe a distribution operation in the data distribution system of the first embodiment.
Fig. 9 is a flow chart to describe a reconnection process.
Fig. 10 is a first flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.
Fig. 11 is a second flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.
Fig. 12 is a third flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.
Fig. 13 is a flow chart to describe a third reconnection operation of the data distribution system according to the first embodiment.
Fig. 14 is a flow chart to describe a reconnection process.
Fig. 15 is a first flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to a second embodiment.
Fig. 16 is a second flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to the second embodiment.
Fig. 17 is a third flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to the second embodiment.
Fig. 18 is a first flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.
Fig. 19 is a second flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.
Fig. 20 is a third flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.
Fig. 21 is a first flow chart to describe a second reconnection operation of the data distribution system according to a third embodiment of the present invention.
Fig. 22 is a second flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.
Fig. 23 is a third flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.
Fig. 24 is a fourth flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.

Best Modes for Carrying Out the Invention 

[0018] Embodiments of the present invention will be 
described hereinafter with reference to the drawings. 

[First Embodiment] 

[0019] Fig. 1 is a diagram to describe schematically 
an entire structure of the data distribution system of the 
present invention. 

[0020] In the following, a data distribution system dis- 
tributing music data to each user via a cellular phone 
network will be described as an example. However, as 
will become apparent from the following description, the 
present invention is not limited to such a case. The 
present invention is applicable to distribute content data 
corresponding to other copyrighted works such as book 
telling data, image data, video data, educational data, 
and the like, and further applicable to the case of dis- 
tributing through other digital information communica- 
tion networks. 

[0021] Referring to Fig. 1, a license server 10 administrating copyrighted music data encrypts music data (also called "content data" hereinafter) according to a predetermined encryption scheme, and provides such encrypted content data to a cellular phone company which is a distribution carrier 20 to distribute information. An authentication server 12 challenges the authenticity of the user's apparatus establishing access for distribution of content data.

[0022] Cellular phone company 20 relays a distribution request from each user to license server 10 through its own cellular phone network. In response to a distribution request, license server 10 verifies the authenticity of the user's apparatus through authentication server 12, and distributes content data to respective user's cellular phone via the cellular phone network of cellular phone company 20 after the requested music data has been further encrypted.

[0023] Fig. 1 corresponds to a structure in which a detachable memory card 110 is loaded in a cellular phone 100 of a user 1. Memory card 110 receives the encrypted content data through cellular phone 100 and applies decryption on the above encryption, and then provides the decrypted data to the music reproduction unit (not shown) in cellular phone 100.

[0024] User 1, for example, can "reproduce" the music data to listen to the music via a headphone 130 or the like connected to cellular phone 100.

[0025] License server 10, authentication server 12, and distribution carrier (cellular phone company) 20 will generically be referred to as a distribution server 30 hereinafter.

[0026] The process of transmitting content data to 
each cellular phone or the like from distribution server 
30 is called "distribution". 

[0027] By such a structure, any user that has not pur- 
chased a memory card 110 cannot receive and repro- 
duce distribution data from distribution server 30. 
[0028] By taking count of the number of times content 
data of, for example, one song, is distributed in distribu- 
tion carrier 20, the copyright royalty fee induced every 
time a user receives (downloads) content data can be 
collected by distribution carrier 20 in the form of tele- 
phone bills of respective cellular phones. Thus, the roy- 
alty fee of the copyright owner can be ensured. 
[0029] Furthermore, since such content data distribution is conducted through a cellular phone network, which is a closed system, there is the advantage that measures to protect copyrights can be taken more easily than in an open system such as the Internet.

[0030] Here, a user 2 possessing a memory card 112, for example, can directly receive distribution of content data from distribution server 30 through his/her own cellular phone 102. However, direct reception of content data or the like from music server 30 is relatively time consuming for user 2 since the content data includes a large amount of information. In such a case, it will be convenient for the user if content data can be copied from user 1 that has already received distribution of that content data.

[0031] However, from the standpoint of protecting the rights of copyright owners, unscrupulous copying of content data is not allowed on the basis of system configuration.

[0032] As shown in Fig. 1, the act of letting a user 2 copy the content data received by user 1, and transferring together the reproduction information to render the relevant content data reproducible to user 2 is called "transfer" of music data. In this case, the encrypted content and reproduction information required for reproduction are transferred between memory cards 110 and 112 through cellular phones 100 and 102. As will be described afterwards, "reproduction information" includes a license key that allows decryption of content data encrypted according to a predetermined encryption scheme, and license information such as information of restriction as to access reproduction and a license ID corresponding to information related to copyright protection.

[0033] In contrast, the act of copying only content data without transferring reproduction information is called "replicate". Since reproduction information is not transferred in replication, the user receiving this replication can render the data reproducible by requesting distribution of only the reproduction information. Accordingly, distribution of a significant amount of data can be eliminated in the distribution of content data.

[0034] By such a structure, the content data distributed by the distribution server can be used flexibly at the reception side.

[0035] In the case where cellular phones 100 and 102 are PHSs (Personal Handy Phones), information can be transferred between user 1 and user 2 taking advantage of conversation in the so-called available transceiver mode.

[0036] In the structure shown in Fig. 1, the system to render the content data distributed in an encrypted manner reproducible at the user side requires: 1) the scheme to distribute an encryption key in communication, 2) the scheme per se to encrypt distribution data, and 3) a configuration realizing data protection to prevent unauthorized copying of the distributed data.

[0037] In the embodiment of the present invention, a distribution system that records and stores the status and history of distribution at both the information transmission side and reception side, and that allows retransmission of information by resuming communication even when communication is disrupted during distribution to improve reliability of the distribution process will be described.

[System Key and Data Configuration] 

[0038] Fig. 2 is a diagram to describe the characteristics of the keys associated with encryption used in communication and data to be distributed in the data distribution system of Fig. 1.

[0039] The data "Data" distributed by distribution server 30 is content data such as music data. The content data is distributed to a user from distribution server 30 in the form of encrypted content data {Data}Kc subject to encryption that can be decrypted using at least a license key Kc.

[0040] In the following, the expression of {Y}X implies information having data Y converted into encryption that can be decrypted using a key X.

[0041] Additional information Data-inf, such as the information related to content data or related to server access and the like, is distributed in plaintext from the distribution server together with the content data. Specifically, additional information Data-inf includes information to identify the content data such as the song title or the name of the artist and to identify distribution server 30.

[0042] Keys related to the encryption, decryption and 
reproduction process of content data as well as to au- 
thentication of a cellular phone which is the content re- 
production circuit and a memory card which is a record- 
ing apparatus are set forth below. 
[0043] As mentioned before, there are provided a license key Kc used to decrypt encrypted content data, a public encryption key KPp(n) unique to the content reproduction circuit (cellular phone 100), and a public encryption key KPmc(m) unique to a memory card.

[0044] Data encrypted using public encryption keys KPp(n) and KPmc(m) can be decrypted respectively using a secret encryption key Kp(n) unique to the content reproduction circuit (cellular phone 100) and a private decryption key Kmc(m) unique to the memory card. These unique private decryption keys have different contents for each type of cellular phone and each type of memory card. Here the type of cellular phone and memory card is defined based on the manufacturer thereof, the fabrication time (fabrication lot) and the like. The unit assigned to the public secret key and private decryption key is referred to as "class." Natural numbers m, n represent the numbers to discriminate the class of each memory card and content reproduction circuit (cellular phone).
[0045] Keys operated common to the entire distribution system include a secret common key Kcom used in obtaining license key Kc and restriction information for the reproduction circuit that will be described afterwards, and an authentication key KPma. Secret common key Kcom is stored at both the distribution server and the cellular phone.

[0046] Public encryption keys KPmc(m) and KPp(n) specified for each memory card and content reproduction circuit can have their authenticity verified by decrypting with authentication key KPma. More specifically, they are recorded in respective memory cards and cellular phones at the time of shipment in the form of authentication data {KPmc(m)}KPma and {KPp(n)}KPma subject to the authentication process.

[0047] Secret common key Kcom is not restricted to be in the symmetric key cryptosystem. It can be replaced with the private decryption key or public encryption key KPcom in the public key cryptosystem. In this case, private key Kcom and public key KPcom are held in cellular phone 100 and distribution server 30, respectively, as secret common key.

[0048] Information to control the operation of the apparatus constituting the system, i.e. cellular phone 100 which is a content reproduction circuit and memory card 110, includes: purchase condition information AC transmitted from cellular phone 100 to distribution server 30 when a user purchases a license key or the like for the purpose of specifying the purchase condition; access restriction information AC1 distributed from distribution server 30 towards memory card 110 according to purchase condition information AC, indicating the number of times of accessing license key Kc for reproduction (reproduction permitted times), the number of replicates and transfer of license key Kc, and restriction as to copy and transfer; and reproduction circuit restriction information AC2 distributed from distribution server 30 to memory card 110, indicating restriction as to the reproduction condition of the content reproduction circuit loaded in cellular phone 100. The reproduction condition of the reproduction circuit implies the condition, for example, of allowing reproduction of only the beginning of each content data for a predetermined time such as in the case where a sample is distributed at low price or freely to promote a new song, the reproduction period and the like.

[0049] The keys to administer data processing in memory card 100 include a public encryption key KPm(i) (i: natural number) specified for each memory card, and a private decryption key Km(i) unique to each memory card that can decrypt data encrypted with public encryption key KPm(i). Here, natural number i represents a number to discriminate each memory card.

[0050] In the data distribution system of Fig. 1, keys used in data communication are set forth below.

[0051] The keys to ensure security during data transfer with an external source to the memory card or between memory cards include symmetric keys Ks1-Ks4 generated at server 30, cellular phone 100 or 102, and memory card 110 or 112 every time content data distribution, reproduction or transfer is carried out.

[0052] Here, symmetric keys Ks1-Ks4 are unique symmetric keys generated for each "session" which is the access unit or communication unit among the server, content reproduction circuit or memory card. In the following, these symmetric keys Ks1-Ks4 are also called "session keys".

[0053] These session keys Ks1-Ks4 have a unique value for each communication session, and are under control of the distribution server, content reproduction circuit and memory card.

[0054] More specifically, a session key Ks1 is generated for each distribution session by distribution server 30. A session key Ks2 is generated for each distribution session and transfer (reception side) session of a memory card. Session key Ks3 is generated for each reproduction session and transfer (transmission side) session in a memory card. A session key Ks4 is generated for each reproduction session of the cellular phone. The level of security can be improved in each session by transferring the session keys and receiving a session key generated by another apparatus to perform encryption using the session keys and transmitting the license decryption key.
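
The key layering of one distribution session, as an added example that is not part of the patent text: a symbolic model in which {Y}X is a perfect envelope, used to check which held keys let a party that records the whole session recover license key Kc. The class and function names (`Enc`, `derive`, `learns`), the constant names, and the reduction of the reproduction information to Kc, AC1 and AC2 are assumptions made for this illustration.

```python
"""Symbolic model of the key layering in one distribution session (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sym:            # symmetric key: the same value encrypts and decrypts
    name: str


@dataclass(frozen=True)
class Pub:            # public encryption key, e.g. KPm(i)
    name: str


@dataclass(frozen=True)
class Priv:           # matching private decryption key, e.g. Km(i)
    name: str


@dataclass(frozen=True)
class Data:           # opaque payload field
    name: str


@dataclass(frozen=True)
class Enc:            # the page's {Y}X: body Y is readable only with the opener of X
    key: object
    body: tuple


def opener(key):
    """Key needed to read {Y}key: itself if symmetric, the private half if public."""
    return key if isinstance(key, Sym) else Priv(key.name)


def derive(initial):
    """Everything obtainable from `initial` by repeatedly opening envelopes."""
    known = set(initial)
    grew = True
    while grew:
        grew = False
        for term in list(known):
            if isinstance(term, Enc) and opener(term.key) in known:
                fresh = set(term.body) - known
                if fresh:
                    known |= fresh
                    grew = True
    return known


# Keys named on the page; the values here are symbolic labels only.
KPMC, KMC = Pub("mc(m)"), Priv("mc(m)")   # class key pair, shared by a card class
KPM, KM = Pub("m(i)"), Priv("m(i)")       # key pair unique to one memory card
KS1, KS2 = Sym("Ks1"), Sym("Ks2")         # session keys of server and card
KC = Sym("Kc")                            # license key
AC1, AC2 = Data("AC1"), Data("AC2")       # restriction information


def distribution_session():
    """Messages on the wire, in order (simplified; authentication is omitted)."""
    m1 = Enc(KPMC, (KS1,))                       # server -> card: {Ks1}KPmc(m)
    m2 = Enc(KS1, (KS2, KPM))                    # card -> server: Ks2 and KPm(i) under Ks1
    m3 = Enc(KS2, (Enc(KPM, (KC, AC1, AC2)),))   # server -> card: inner KPm(i), outer Ks2
    return [m1, m2, m3]


def learns(target, held_keys):
    """True if a party recording the session and holding `held_keys` obtains `target`."""
    return target in derive(set(distribution_session()) | set(held_keys))


if __name__ == "__main__":
    cases = [("no keys", []), ("class key Kmc(m) only", [KMC]),
             ("card key Km(i) only", [KM]), ("the card: both keys", [KMC, KM])]
    for label, keys in cases:
        print(f"{label:24} Ks2={learns(KS2, keys)}  Kc={learns(KC, keys)}")
```

In this model the class private key alone exposes both session keys but not Kc, because the inner layer is bound to the card-unique key; the card-unique key alone opens nothing, because the outer layer depends on Ks2.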

[0055] Data transferred with a distribution server in- 
cludes a content ID for the system to identify each con- 
tent data, and a transaction ID which is a code generat- 
ed for each distribution session to identify each distribu- 
tion session. It is to be noted that the license ID and 
transaction ID can be shared. 
[0056] The license ID, content ID and access restriction information AC1 are generically referred to as license information. This license information, license key Kc and reproduction circuit restriction information AC2 are generically referred to as reproduction information.

[Configuration of License Server 10] 

[0057] Fig. 4 is a schematic block diagram showing a structure of license server 10 of Fig. 1.

[0058] License server 10 includes an information database 304 to store content data encrypted according to a predetermined scheme as well as distribution information such as a license ID, an account database 302 to store accounting data according to the start of access to content data for each user, a log administration database 306 to store log information of the license server, a data processing unit 310 receiving data through a data bus BS1 from information database 304, accounting database 302 and log administration database 306 to apply a predetermined process, and a communication device 350 to transfer data between distribution carrier 20 and data processing unit 310 via the communication network.

[0059] "License distribution log" indicating the distri- 
bution history of the license information stored in log ad- 
ministration database 308 includes the transaction ID, 
content ID, public encryption key KPmc(n), KPp(n), ac- 
cess restriction information AC1 , reproduction circuit re- 
striction information AC2, public encryption key KPm(i), 
session key Ks2, and an accounting status flag. The ac- 
counting status flag indicates whether the accounting 
process for the currently-distributed content data has al- 
ready ended or not. 

[0060] Data processing unit 310 includes a distribution control unit 315 to control the operation of data processing unit 310 according to the data on data bus BS1, a session key generation unit 316 to generate a session key Ks1 in a distribution session, under control of distribution control unit 315, a decryption processing unit 312 receiving through communication device 350 and data bus BS1 authentication data {KPmc(n)}KPma and {KPp(n)}KPma sent from a memory card and a cellular phone to apply a decryption process on authentication key KPma, an encryption processing unit 318 encrypting session key Ks1 generated by session key generation unit 316 using public encryption key KPmc(m) obtained by decryption processing unit 312 to provide the encrypted key onto data bus BS1, and a decryption processing unit 320 receiving through data bus BS1 the data encrypted with session key Ks1 and transmitted by each user.

[0061] Data processing unit 310 further includes a Kcom hold unit 322 storing secret common key Kcom, an encryption processing unit 324 encrypting license key Kc and reproduction circuit restriction information AC2 applied from distribution control unit 315 using secret common key Kcom, an encryption processing unit 326 to encrypt the data output from encryption processing unit 324 using a public encryption key KPm(i) unique to the memory card obtained from decryption processing unit 320, and an encryption processing unit 328 further encrypting the output of encryption processing unit 326 using a session key Ks2 applied from decryption processing unit 320 to provide the encrypted key onto data bus BS1.

[0062] In the case where secret common key Kcom is the key of an asymmetric public key cryptosystem, Kcom hold unit 322 stores public key Kpcom, which is the encryption key in the public key cryptosystem, instead of secret common key Kcom in the symmetric key cryptosystem.

[Configuration of Cellular Phone 100] 

[0063] Fig. 4 is a schematic block diagram to describe a structure of a cellular phone 100 of Fig. 1.

[0064] In cellular phone 100, the natural number n representing the class is set to n = 1.
[0065] Cellular phone 100 includes an antenna 1102 to receive a signal transmitted through radio by a cellular phone network, a transmitter/receiver unit 1104 converting the signal received from antenna 1102 into a base band signal, or modulating and providing to antenna 1102 the data from a cellular phone, a data bus BS2 to transfer data between respective components of cellular phone 100, and a controller 1108 to control the operation of cellular phone 100 via data bus BS2.
[0066] Cellular phone 100 further includes a key board 1108 to apply designation to cellular phone 100 from an external source, a display 1110 to apply the information output from controller 1106 or the like to the user as visual information, an audio reproduction unit 1112 reproducing audio based on reception data provided via data bus BS2 in a general conversation operation, a connector 1120 to transfer data with an external source, and an external interface unit 1122 providing the data from connector 1120 to data bus BS2 for conversion, or to convert the data from data bus BS2 into a signal that can be applied to connector 1120.
[0067] Cellular phone further includes a detachable memory card 110 storing content data (music data) for a decryption process, a memory interface 1200 to control data transfer between memory card 110 and data bus BS2, and an authentication data hold unit 1500 storing a public encryption key KPp(1) set for each cellular phone class in an encrypted state that can be authenticated by decryption using authentication key KPma.
[0068] Cellular phone 100 further includes a Kp hold unit 1502 storing private decryption key Kp(n) (n=1) which is an encryption key unique to the cellular phone (content reproduction circuit) class, a decryption processing unit 1504 decrypting the data received from data bus BS2 using private decryption key Kp(1), and obtaining session key Ks3 generated by the memory card, a session key generation unit 1508 generating using a random number a session key Ks4 used to encrypt data transferred on data bus BS2 with memory card 110 in a session of reproducing content data stored in memory card 110, an encryption processing unit 1506 encrypting generated session key Ks4 using a session key Ks3 obtained by decryption processing unit 1504, and a decryption processing unit 1510 decrypting the data on data bus BS2 using session key Ks4 to output data {Kc//AC2}Kcom.

[0069] Cellular phone 100 further includes a Kcom hold unit 1512 storing a secret common key Kcom, a decryption processing unit 1514 decrypting data {Kc//AC2}Kcom output from decryption processing unit 1510 using secret common key Kcom to output license key Kc and reproduction circuit restriction information AC2, a decryption processing unit 1516 receiving encrypted content data {Data}Kc from data bus BS2 to decrypt the data using license key Kc obtained by decryption processing unit 1510 to output content data Data, a music reproduction unit 1518 to receive content data Data which is the output of decryption processing unit 1516 to reproduce content data, a switch unit 1525 receiving the outputs of music reproduction unit 1518 and audio reproduction unit 1112 to selectively provide an output according to the operation mode, and a connection terminal 1530 receiving the output of mixer unit 1525 for connection to headphone 130.
[0070] Here, reproduction circuit restriction information AC2 output from decryption processing unit 1514 is applied to controller 1106 via data bus BS2.
[0071] In Fig. 4, only the blocks associated with distribution and reproduction of music data among the blocks forming the cellular phone are illustrated for the sake of simplification. Blocks related to the general conversation function inherent to a cellular phone are left out.

[Configuration of Memory Card 110] 

[0072] Fig. 5 is a schematic block diagram to describe a structure of memory card 110 of Fig. 1.

[0073] As described before, public encryption key KPm(i) and a corresponding private decryption key Km(i) take unique values for each memory card. In memory card 110, it is assumed that the natural number i is set to i = 1. Also, KPmc(m) and Kmc(m) are set as the public encryption key and secret encryption key unique to the class of the memory card. In memory card 110, it is assumed that the natural number m is represented as m = 1.

[0074] Memory card 110 includes an authentication data hold unit 1400 to store authentication data {KPmc(1)}KPma, a Kmc hold unit 1402 storing a unique decryption key Kmc(1) set for each memory card class, a KPm(1) hold unit 1416 to store a unique public encryption key KPm(1) set for each memory card, and a Km(1) hold unit 1421 storing an asymmetric private decryption key Km(1) that can be decrypted using public encryption key KPm(1). Here, authentication data hold unit 1400 encrypts and stores public encryption key KPmc(1) set for each memory card class using authentication key KPma in an authenticatable state. Authentication data hold unit 1400 encrypts and stores public encryption key KPmc(1) set for each memory card class in a state that can have the authenticity verified by decryption using authentication key KPma.

[0075] Memory card 110 further includes a data bus BS3 to transfer a signal with memory interface 1200 via a terminal 1202, a decryption processing unit 1404 receiving the data applied from memory interface 1200 onto data bus BS3, and receiving a private decryption key Kmc(1) unique to each memory card class from Kmc(1) hold unit 1402, and providing session key Ks3 generated by the distribution server in a distribution session to contact Pa, a decryption processing unit 1408 receiving authentication key KPma from KPma hold unit 1443 to execute a decryption process using authentication key KPma from the data applied on data bus BS3 and providing the decrypted result to encryption processing unit 1410, and an encryption processing unit 1406 encrypting data selectively applied from switch 1444 using a key selectively applied by switch 1442, and providing the encrypted data onto data bus BS3.
[0076] Memory card 110 further includes a session key generation unit 1418 generating a session key at each distribution, reproduction and transfer session, an encryption processing unit 1410 encrypting the session key output from session key generation unit 1418 using public encryption key KPp(n) obtained by encryption processing unit 1408 to output the encrypted key onto data bus BS3, and a decryption processing unit 1412 receiving encrypted data on data bus BS3 to apply a decryption process using session key Ks3 obtained by session key generation unit 1418, and providing the decrypted result to data bus BS4.
[0077] Memory card 110 further includes an encryption processing unit 1424 encrypting the data on data bus BS4 using a public encryption key KPm(i) (i is 1 or number j of another memory card) unique to the memory card, a decryption processing unit 1422 to decrypt the data on data bus BS4 using a secret encryption key Km(1) unique to memory card 110 that is the companion to public encryption key KPm(1), and a memory 1415 receiving and storing from data bus BS4 a portion of the reproduction information encrypted with public encryption key KPm(1) (content decryption key Kc, content ID, license ID, access control information AC1, reproduction circuit control information AC2), as well as receiving and storing encrypted content data {Data}Kc.
[0078] Memory card 110 further includes a license information hold unit 1440 storing license information obtained by decryption processing unit 1422 (transaction ID, content ID and access restriction information AC1), a log memory 1460 to store the log of the transmission/reception of the reproduction information in the memory card, and a controller 1420 transferring data with an external source via data bus BS3 to receive reproduction information and the like with data bus BS4 to control the operation of memory card 110.
[0079] "Reception log" indicating the reception status of the reproduction information stored in log memory 1460 includes the transaction ID, session key Ks2, and the like. In the first embodiment, the reception log information corresponds to data generated in the event of license reception, and is erased when reception and storage of the reproduction information to memory card 110 are completed.

[0080] It is assumed that the region TRM enclosed by the solid line in Fig. 5 is incorporated in a module TRM to disable readout of data and the like in the circuit located in that region by a third party by erasing the internal data or destroying the internal circuitry when an improper open process is conducted from an external source. Such a module is generally a tamper resistant module.

[0081] A structure may be implemented in which memory 1415 is also incorporated in module TRM. However, since the data stored in memory 1415 is completely encrypted according to the structure shown in Fig. 6, a third party will not be able to reproduce the music with just the data in memory 1415. Furthermore, it is not necessary to provide memory 1415 in the expensive tamper resistance module. Thus, there is the advantage that the fabrication cost is reduced.

[Distribution Operation] 

[0082] The operation in each session of the data dis- 
tribution system according to an embodiment of the 
present invention will be described in detail hereinafter 
with reference to the flow charts. 
[0083] Figs. 6, 7 and 8 are the first, second and third flow charts, respectively, to describe a distribution operation in the event of purchasing content according to the data distribution system of the first embodiment (also called "distribution session" hereinafter).
[0084] Figs. 6-8 correspond to the operation of user 1 receiving content data distribution from distribution server 30 via cellular phone 100 using memory card 110.
[0085] First, a distribution request is issued from cellular phone 100 of user 1 through the operation of the key buttons on touch key unit 1108 by user 1 (step S100).

[0086] At memory card 110, authentication data {KPmc(1)}KPma is output from authentication data hold unit 1400 in response to the distribution request (step S102).
[0087] Cellular phone 100 transmits to distribution server 30 authentication data {KPp(1)}KPma for authentication of cellular phone 100 per se, the content ID and license purchase condition AC in addition to authentication data {KPmc(1)}KPma accepted from memory card 110 for authentication (step S104).

[0088] Distribution server 30 receives the content ID, authentication data {KPmc(1)}KPma, {KPp(1)}KPma, license purchase condition data AC from cellular phone 100 (step S106). Decryption processing unit 312 executes a decryption process using authentication key KPma. Accordingly, distribution server 30 accepts public encryption key KPmc(1) of memory card 110 and KPp(1) which is the public encryption key of cellular phone 100 (step S108).

[0089] Distribution control unit 315 conducts authentication by authentication server 12 based on the accepted secret encryption keys KPmc(1) and KPp(1) (step S110). When these public encryption keys are valid, control proceeds to the next process (step S112). When these public secret keys are invalid, the process ends (step S170).

[0090] In verifying the authenticity of public encryption key KPp(1) or KPmc(1) in the decryption process by authentication key KPma, authentication server 12 performs the authentication. Since public encryption key KPp(1) or KPmc(1) is encrypted so that its authenticity can be determined by decrypting using authentication key KPma, a structure may be implemented in which distribution control unit 315 of license server 10 performs authentication from the decryption result using authentication key KPma.

[0091] When verification is made that the distribution is towards a proper memory card as a result of authentication, distribution control unit 315 generates a transaction ID to identify the distribution session (step S112).

[0092] When verification is made that the distribution is towards a proper memory card as a result of authentication, distribution control unit 315 also records the transaction ID, content ID, public encryption keys KPmc(1) and KPp(1) in administration database 306 together with the information indicating unsettled accounting (accounting status flag) as the license distribution log (step S113).

[0093] At distribution server 30, session key generation unit 316 generates a session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing unit 318 using a public encryption key KPmc(1) corresponding to memory card 110 obtained from decryption processing unit 312.
[0094] The transaction ID and encrypted session key {Ks1}Kmc(1) are output via data bus BS1 and communication device 350 (step S116).
[0095] Upon reception of the transaction ID and encrypted session key {Ks1}Kmc(1) at cellular phone 100 (step S118), the received data is applied onto data bus BS3 via memory interface 1200 in memory card 110. Decryption processing unit 1404 decrypts {Ks1}Kmc(1) using a private decryption key Kmc(1) unique to memory card 110 stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted. As a result, the transaction ID and session key Ks1 are accepted (step S120).

[0096] The procedure up to step S120 is referred to as the "transaction ID obtain step".
[0097] Referring to Fig. 7, upon confirmation of the acceptance of session key Ks1 generated at distribution server 30, controller 1420 designates session key generation unit 1418 to generate a session key Ks2 generated in the distribution operation of the memory card. Controller 1420 also records in log memory 1460 session key Ks2 together with the received transaction ID (step S121).

[0098] Encryption processing unit 1406 encrypts session key Ks2 applied by sequential switching of the contact of switches 1444 and 1446 as well as public encryption key KPmc(1) using session key Ks1 applied from decryption processing unit 1406 via contact Pa of switch 1442, whereby {Ks2//KPm(1)}Ks1 is output onto data bus BS3 (step S122).

[0099] Encrypted data {Ks2//KPm(1)}Ks1 output onto data bus BS3 is transmitted from data bus BS3 to cellular phone 100 via terminal 1202 and memory interface 1200, and then transmitted from cellular phone 100 to distribution server 30 (step S124).
[0100] Distribution server 30 receives encrypted data {Ks2//KPm(1)}Ks1 to execute a decryption process using session key Ks1 by decryption processing unit 320. Session key Ks2 generated at the memory card and public encryption key KPm(1) unique to memory card 110 are accepted (step S126).
[0101] Distribution control unit 315 generates access restriction information AC1 and reproduction circuit restriction information AC2 according to the content ID and license purchase condition data AC obtained at step S106 (step S130). Also, license key Kc to decrypt the encrypted content data is obtained from information database 304 (step S132).

[0102] Distribution control unit 315 applies the ob- 
tained license key Kc and reproduction circuit restriction 
information AC2 to encryption processing unit 324. En- 
cryption processing unit 324 encrypts license key Kc 
and reproduction circuit restriction information AC2 us- 
ing secret common key Kcom obtained from Kcom hold 
unit 322 (step S134). 

[0103] Encrypted data {Kc//AC2}Kcom output from encryption processing unit 324, and the transaction ID, content ID and access restriction information AC1 output from distribution control unit 315 are encrypted by encryption processing unit 326 using a public encryption key KPm(1) unique to memory card 110 obtained by decryption processing unit 320 (step S136).
[0104] Encryption processing unit 328 receives the output of encryption processing unit 326 and applies encryption using session key Ks2 generated by memory card 110 (step S137).

[0105] Distribution control unit 315 records access restriction information AC1, reproduction circuit restriction information AC2, public encryption key KPm(1), session key Ks2 in log data administration database 306 together with the information of settled accounting (accounting status flag) (step S138).
[0106] Encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2 output from encryption processing unit 328 is transmitted to cellular phone 100 via data bus BS1 and communication device 350 (step S139).

[0107] By transferring respective session keys generated at the transmission server and memory card to each other to execute encryption using respective received encryption keys and transmitting the encrypted data to the other party, authentication of each other can be virtually conducted in the transmission/reception of respective encrypted data. Thus, security of the data distribution system can be improved. Furthermore, distribution server 30 will record and store the accounting status and information associated with the distribution history.

[0108] Cellular phone 100 receives the transmitted encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2 (step S140). At memory card 110, the received data applied onto data bus BS3 via memory interface 1200 is decrypted by decryption processing unit 1412. Specifically, decryption processing unit 1412 decrypts the reception data on data bus BS3 using session key Ks2 applied from session key generation unit 1418 and provides the decrypted data onto data bus BS4 (step S144).

[0109] Referring to Fig. 8, data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) decryptable with private decryption key Km(1) stored in Km(1) store unit 1421 is output onto data bus BS4 at the stage of step S144. This data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1) is first decrypted by a private decryption key Km(1), whereby data {Kc//AC2}Kcom, the transaction ID, content ID, and access control information AC1 which are the reproduction information are accepted (step S146).

[0110] The transaction ID, content ID and access restriction information AC1 are recorded in license information hold unit 1440. Data {Kc//AC2}Kcom is encrypted again with public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1) (step S148).

[0111] The reception log in log memory 1460 is erased (step S150).
[0112] The process from step S121 to step S150 is referred to as the "reproduction information obtain step". In this "reproduction information obtain step", the accounting subject process is carried out.
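The message flow from step S116 to step S150, as a runnable sketch that is an added example and not code from the patent. The hash-based cipher, the toy Diffie-Hellman wrap over a 127-bit prime, the length-prefixed packing and every class and function name are assumptions standing in for algorithms the text does not name; the KPma authentication step is left out.

```python
import hashlib, hmac, secrets, struct

# Stand-in primitives (assumptions: the text names no algorithms).
P, G = 2**127 - 1, 3   # toy 127-bit group, far too small for real use

def _keys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor(k_enc, nonce, data):
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(k_enc + nonce + struct.pack(">I", len(stream))).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sym_seal(key, data):   # {data}K, symmetric: keystream XOR plus an HMAC tag
    (k_enc, k_mac), nonce = _keys(key), secrets.token_bytes(12)
    ct = _xor(k_enc, nonce, data)
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def sym_open(key, blob):
    (k_enc, k_mac), nonce, ct, tag = _keys(key), blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return _xor(k_enc, nonce, ct)

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def pk_seal(pub, data):    # {data}KP: ephemeral DH value, then sym_seal under the shared secret
    r, eph = keypair()
    return eph.to_bytes(16, "big") + sym_seal(pow(pub, r, P).to_bytes(16, "big"), data)

def pk_open(priv, blob):
    shared = pow(int.from_bytes(blob[:16], "big"), priv, P)
    return sym_open(shared.to_bytes(16, "big"), blob[16:])

def pack(*fields):         # the a//b//c concatenation, as length-prefixed fields
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(blob):
    fields = []
    while blob:
        n = struct.unpack(">H", blob[:2])[0]
        fields, blob = fields + [blob[2:2 + n]], blob[2 + n:]
    return fields

class DistributionServer:
    def __init__(self, kcom, kc):
        self.Kcom, self.Kc, self.log = kcom, kc, {}   # log: license distribution log
    def start(self, KPmc, cid):                       # S112-S116
        tid, Ks1 = secrets.token_bytes(8), secrets.token_bytes(16)
        self.log[tid] = {"cid": cid, "Ks1": Ks1, "settled": False}
        return tid, pk_seal(KPmc, Ks1)
    def issue(self, tid, offer, ac1=b"AC1", ac2=b"AC2"):   # S126-S139
        rec = self.log[tid]
        Ks2, KPm = unpack(sym_open(rec["Ks1"], offer))
        inner = pack(sym_seal(self.Kcom, pack(self.Kc, ac2)), tid, rec["cid"], ac1)
        rec.update(Ks2=Ks2, KPm=KPm, settled=True)          # S138
        return sym_seal(Ks2, pk_seal(int.from_bytes(KPm, "big"), inner))

class MemoryCard:
    def __init__(self):
        (self.Kmc, self.KPmc), (self.Km, self.KPm) = keypair(), keypair()
        self.reception_log = self.license_info = self.memory = None
    def accept_ks1(self, tid, wrapped):               # S120
        self.tid, self.Ks1 = tid, pk_open(self.Kmc, wrapped)
    def offer_ks2(self):                              # S121-S122
        self.Ks2 = secrets.token_bytes(16)
        self.reception_log = (self.tid, self.Ks2)     # log memory 1460
        return sym_seal(self.Ks1, pack(self.Ks2, self.KPm.to_bytes(16, "big")))
    def store_license(self, msg):                     # S144-S150
        sealed_kc, tid, cid, ac1 = unpack(pk_open(self.Km, sym_open(self.Ks2, msg)))
        self.license_info = (tid, cid, ac1)           # license information hold unit 1440
        self.memory = pk_seal(self.KPm, sealed_kc)    # memory 1415: {{Kc//AC2}Kcom}Km(1)
        self.reception_log = None                     # S150

def demo():
    kcom, kc = secrets.token_bytes(16), secrets.token_bytes(16)
    server, card = DistributionServer(kcom, kc), MemoryCard()
    tid, wrapped = server.start(card.KPmc, b"content-001")   # constructed content ID
    card.accept_ks1(tid, wrapped)
    offer = card.offer_ks2()
    pending = card.reception_log
    msg = server.issue(tid, offer)
    card.store_license(msg)
    result = {"log_held_mid_session": pending == (tid, server.log[tid]["Ks2"]),
              "log_erased": card.reception_log is None,
              "settled": server.log[tid]["settled"],
              # Phone side: Kcom opens what the card stored and yields Kc.
              "kc_recovered": unpack(sym_open(kcom, pk_open(card.Km, card.memory)))[0] == kc}
    card.accept_ks1(*server.start(card.KPmc, b"content-001"))
    card.offer_ks2()                                  # new session, fresh Ks2
    try:
        card.store_license(msg)                       # captured S139 message, replayed
        result["replay_accepted"] = True
    except ValueError:
        result["replay_accepted"] = False
    result["log_kept_after_failure"] = card.reception_log is not None
    return result
```

The replayed message is rejected because it was sealed under the earlier session's Ks2, and the card keeps its reception log until a license has actually been stored.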
[0113] At the stage of proper completion of the proc- 
ess up to step S150, a content data distribution request 
is issued from cellular phone 100 to distribution server 
30 (step S152). 

[0114] In response to reception of a content data distribution request, distribution server 30 obtains encrypted content data {Data}Kc and additional information Data-inf from information database 304 and outputs the same via data bus BS1 and communication device 350 (step S154).

[0115] Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S156). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. At memory card 110, the received encrypted content data {Data}Kc and additional information Data-inf are directly stored in memory 1415 (step S158).
[0116] The process from step S152 to step S158 is referred to as the "content data obtain step". In this "content data obtain step", a process not subject to accounting is carried out.

[0117] A distribution acceptance notification is transmitted from memory card 110 to distribution server 30 (step S160). Upon reception of the distribution acceptance at distribution server 30 (step S162), the distribution end process is executed accompanying storage of the accounting data into account database 302 (step S164). Thus, the distribution server process ends (step S170).

[Reconnection Operation] 

[0118] The process when reconnection is to be established to receive distribution again when the communication line is disrupted during the stage of the above-described process of the distribution operation will be described hereinafter. Fig. 9 is a flow chart to describe a reconnection process.

[0119] User 1, for example, requests reconnection through the key button or the like on keyboard 1108 of cellular phone 100, whereby the reconnection process is initiated (step S200).

[0120] Controller 1106 of cellular phone 100 determines the processing step where communication was disrupted (step S202). If disruption has occurred in the transaction ID obtain step, the basic distribution process of Figs. 6-8 (first reconnection process) is effected since it is not relevant to accounting (step S204). Then, the reconnection process ends (step S206).
[0121] When determination is made that the step where communication has been disrupted is the license obtain step (step S202), controller 1106 carries out a second reconnection process based on a reception log that will be described afterwards (step S206). When communication has been disrupted in the content data obtain step (step S202), a third reconnection process to continue communication corresponding to communication disruption that will be described afterwards is effected (step S206). Then, the reconnection process ends (step S210).

[Second Reconnection Process]

[0122] Figs. 10, 11 and 12 are the first, second and third flow charts, respectively, to describe a second reconnection process in the data distribution system of the first embodiment. By comparing the license distribution log of license server 10 and the reception log of memory card 110, the reproduction information distribution status when communication has been disrupted is confirmed to realize reliability for the user while protecting the rights of copyright owners.

[0123] Referring to Fig. 10, user 1 operates the key button of keyboard 1108 of cellular phone 100 to issue a reconnection request. In response, the second reconnection process is initiated (step S300).
[0124] In response to this reconnection request, the transaction ID stored in log memory 1460 is output at memory card 110 (step S302).
[0125] Cellular phone 100 transmits the transaction ID accepted from memory card 110 towards distribution server 30 (step S304).

[0126] At distribution server 30, the transaction ID is received (step S306). Distribution control unit 315 retrieves the license distribution log from log administration database 306 (step S308).
[0127] When an accounting process has been already performed for the terminal that has requested reconnection (cellular phone 100 and memory card 110) from the received transaction ID (step S308), distribution control unit 315 obtains public encryption key KPmc(1) from the license distribution log (step S310).

[0128] Session key generation unit 316 generates a session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing unit 318 using public encryption key KPmc(1) (step S312).
[0129] The transaction ID and encrypted session key {Ks1}Kmc(1) are output via data bus BS1 and communication device 350 (step S314).
[0130] In response to reception of the transaction ID and encrypted session key {Ks1}Kmc(1) at cellular phone 100 (step S316), decryption processing unit 1404 of memory card 110 decrypts the received data applied onto data bus BS3 via memory interface 1200 using a private decryption key Kmc(1) unique to memory card 110 stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted (step S318).

[0131] The subsequent steps are similar to the process after step S121 of Fig. 7, i.e., the process following the license obtain step.
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[0132] When determination is made that the account- 
ing process has not been completed as a result of look- 
ing in the license distribution log from log administration 
database 306 by distribution control unit 315 at step 
S308, public encryption key KPmc(1) is obtained from s 
the license distribution log (step S330). 
[0133] Then, session key generation unit 316 at dis- 
tribution server 30 generates a session key Ks1 for dis- 
tribution. Session key Ks1 is encrypted by encryption 
processing unit 318 using public encryption key KPmc io 
(1) (stepS332). 

[0134] The transaction ID and encrypted session key 
{Ks1}Kmc{1) are output via data bus BS1 and commu- 
nication device 350 (step S334). 

[0135] In response to reception of the transaction ID '5 
and encrypted session key {Ks1}Kmc(1) at cellular 
phone 1 00 (step S336), decryption processing unit 1 404 
decrypts the reception data applied onto data bus BS3 
via memory interface 1200 using private decryption key 
Kmc(1) unique to memory card 110 stored in hold unit 2° 
1402, whereby session key Ks1 is decrypted and ex- 
tracted (step S338). 

[0136] Encryption processing unit 1406 encrypts the 
received log with session key Ks1 to generate {reception 
log}Ks1 (step S340). 25 
[0137] Referringto Fig. 11, controller 1420 designates ■ 
session key generation unit 1 41 8 to generate a session 
key Ks2' generated in the distribution operation of the 
memory card (step S342). 

[0138] Encryption processing unit 1406 encrypts ses- so 
sion key Ks2' applied via the contacts of switches 1 444 
and 1446 using session key Ks1 applied from decryption 
processing unit 1404 via contact Pa of switch 1442 to 
generate {Ks2'}Ks1 . The generated data {reception log} 
Ks1 and {Ks2'}Ks1 are output from memory card 110 35 
(step S344). 

[0139] Encrypted data {reception log}Ks1 and {Ks2'} 
Ks1 output onto data bus BS3 are transmitted from data 
bus BS3 to cellular phone 100 via terminal 1202 and 
memory interface 1200, and transmitted from cellular *> 
phone 1 00 to distribution server 30 (step S346). 
[01 40] Distribution server 30 receives encrypted data 
{reception logJKsl and {Ks2'}Ks1 . Decryption process- 
ing unit 320 executes a decryption process using ses- 
sion key Ks1, whereby session key Ks2' generated by 4 ^ 
the reception log and memory card is accepted (step 
S348). 

[0141] Then, distribution control unit 316 verifies the 
authenticity of the received reception log (step S350). 
[0142] When authenticity of the reception log is not so 
verified, the second reconnection process ends (step 
S390). 

[0143] In contrast, when the authenticity of the recep- 
tion log is verified, distribution control unit 315 obtains 
the content ID, access restriction information AC1, re- 55 
production circuit restriction information AC2 and public 
encryption key KPm(1) from the license distribution log 
(step S352). Then, license key Kc to decrypt the en- 



crypted content data is obtained from information data- 
base 304 (step S354). 

[0144] Distribution control unit 315 applies the ob- 
tained license key Kc and reproduction circuit restriction 
information AC2 to encryption processing unit 324. En- 
cryption processing unit 324 encrypts license key Kc 
and reproduction circuit restriction information AC2 us- 
ing secret common key Kcom obtained from Kcom hoid 
unit 322 (step S356). 

[0145] Encrypted data {Kc//AC2}Kcom output from
encryption processing unit 324 and the transaction ID,
content ID and access restriction information AC1 output
from distribution control unit 315 are encrypted by
encryption processing unit 326 using public encryption
key KPm(1) unique to memory card 110 obtained at step
S352 (step S358).

[0146] Encryption processing unit 328 receives the 
output of encryption processing unit 326 to encrypt the 
output using session key Ks2' generated at memory 
card 110 (step S360). 

[0147] Encrypted data {{{Kc//AC2}Kcom//transaction 
ID//content ID//AC1}Km(1)}Ks2' output from encryption 
processing unit 328 is transmitted to cellular phone 100
via data bus BS1 and communication device 350 (step 
S362). 

[0148] Cellular phone 100 receives the transmitted 
encryption data {{{Kc//AC2}Kcom//transaction ID//content
ID//AC1}Km(1)}Ks2' (step S364).
[0149] Referring to Fig. 12, memory card 110 has the
reception data applied onto data bus BS3 via memory 
interface 1200 decrypted by decryption processing unit 
1412. Specifically, decryption processing unit 1412 uses 
session key Ks2' applied from session key generation 
unit 1418 to decrypt the reception data on data bus BS3, 
and provides the decrypted data onto data bus BS4 
(step S366). 

[0150] At this stage, data {{Kc//AC2}Kcom//transaction
ID//content ID//AC1}Km(1) decryptable with private
decryption key Km(1) stored in Km(1) hold unit 1421 is
output onto data bus BS4. This data {{Kc//AC2}Kcom//
transaction ID//content ID//AC1}Km(1) is decrypted with
private decryption key Km(1), whereby data {Kc//AC2}Kcom,
the transaction ID, the content ID, and access
restriction information AC1 corresponding to the
reproduction information are accepted (step S368).
[0151] The transaction ID, content ID, access restric- 
tion information AC1 are stored in license information 
hold unit 1440. Data {Kc//AC2}Kcom is encrypted again 
using a private decryption key KPm(1) and stored in
memory 1415 as data {{Kc//AC2}Kcom}Km(1) (step 
S370). 

[0152] Also, the reception log is erased from log memory
1460 (step S372).

[0153] At the stage of proper completion of the proc- 
ess up to step S372, a content data distribution request 
is issued from cellular phone 100 to distribution server 
30 (step S374).

[0154] In response to this content data distribution
request, distribution server 30 obtains encrypted content
data {Data}Kc and additional information Data-inf from
information database 304. These data are output via data
bus BS1 and communication device 350 (step S376).
[0155] Cellular phone 100 receives {Data}Kc//Data-inf,
and accepts encrypted content data {Data}Kc and
additional information Data-inf (step S378). Encrypted
content data {Data}Kc and additional information Data-inf
are transmitted onto data bus BS3 of memory card
110 via memory interface 1200 and terminal 1202. At
memory card 110, the received encrypted content data
{Data}Kc and additional information Data-inf are directly
stored in memory 1415 (step S380).
[0156] A distribution reception notification is transmitted
from memory card 110 to distribution server 30 (step
S382). When the distribution acceptance is received at
distribution server 30 (step S384), the distribution end
process is executed (step S386). The process of the
distribution server ends (step S390).

[Third Reconnection Process] 

[0157] Fig. 13 is a flow chart to describe a third
reconnection operation in the data distribution system of the
first embodiment.

[0158] Referring to Fig. 13, user 1 sends a reconnec- 
tion request through the key button on keyboard 1108 
of cellular phone 100. In response, a third reconnection 
process is initiated (step S400). 
[0159] In response to this reconnection request, cellular
phone 100 sends a content data distribution request
to distribution server 30 (step S402).
[0160] In response to this content data distribution
request, distribution server 30 obtains encrypted content
data {Data}Kc and additional information Data-inf from
information database 304. These data are output via data
bus BS1 and communication device 350 (step S404).
[0161] Cellular phone 100 receives {Data}Kc//Data-inf,
and accepts encrypted content data {Data}Kc and
additional information Data-inf (step S406). Encrypted
content data {Data}Kc and additional information Data-inf
are transmitted onto data bus BS3 of memory card
110 via memory interface 1200 and terminal 1202. At
memory card 110, the received encrypted content data
{Data}Kc and additional information Data-inf are directly
stored in memory 1415 (step S408).
[0162] Then, a distribution acceptance notification is 
transmitted from memory card 110 to distribution server
30 (step S410). When distribution server 30 receives 
this distribution acceptance (step S412), a distribution 
end process is executed (step S414). The process of 
the distribution server ends (step S416). 

[Reconnection Operation When Line is Cut During 
Reconnection Operation] 

[0163] The process of establishing reconnection to receive
distribution again in the case where the communication
line is cut off in the stage of the processing step
of the above-described reconnection operation will be
described here. Fig. 14 is a flow chart to describe such
a reconnection process.
[0164] User 1, for example, operates the key button
on keyboard 1108 of cellular phone 100 to send a
reconnection request. The reconnection process is initiated
(step S500).

[0165] Based on the license reception standby log
stored in memory card 110, controller 1106 determines
the step where communication has been disrupted (step
S502). When communication has been disrupted at the
license obtain step or license reobtain step, the second
reconnection process is performed again (step S504).
Then, the reconnection process ends (step S508).
[0166] When determination is made that the step
where communication has been disrupted is the content
data obtain step by controller 1106 (step S502), a third
reconnection process that will be described afterwards
is carried out (step S506). Then, the reconnection process
ends (step S508).

[0167] By virtue of such a structure, reconnection can
be established even in the case where the communication
line has been disrupted in the processing step.
Thus, the reliability of the system is further improved.

[Second Embodiment] 

[0168] The data distribution system of the second
embodiment differs from the data distribution system of the
first embodiment in that the license reception standby
log stored in log memory 1460 in memory card 110 is
not erased, as will be described hereinafter. Corresponding
to this modification, the reception log includes,
in addition to the structure of the first embodiment, a
reception status flag.

[0169] The data distribution system of the second
embodiment differs from the first embodiment in the
operation of controller 1420 in memory card 110 and the data
stored in log memory 1460.

[0170] Figs. 15, 16 and 17 are the first, second and
third flow charts, respectively, to describe a distribution
operation in the event of purchasing content in the data
distribution system of the second embodiment, and are
comparable to Figs. 6-8 of the first embodiment.

[0171] Figs. 15-17 correspond to the operation of user
1 receiving music data distribution from distribution
server 30 via cellular phone 100 by using memory card
110.

[0172] The difference from the flow of the first
embodiment is that, at step S121' of Fig. 16 following the
transaction ID obtain step, controller 1420 designates
session key generation unit 1418 to generate a session key
Ks2 generated during the distribution operation of the
memory card upon confirming acceptance of session
key Ks1 generated at distribution server 30. Furthermore,
controller 1420 records a reception status flag
attaining an ON status indicating a reception wait state as


EP 1 237 324 A1



the reception log in log memory 1460 together with ses- 
sion key Ks2 and the received transaction ID (step 
S121'). 

[0173] Referring to Fig. 17, at step S148, the transaction
ID, content ID and access restriction information
AC1 are recorded in license information hold unit 1440.
Data {Kc//AC2}Kcom is encrypted by public encryption
key KPm(1), and stored in memory 1415 as data
{{Kc//AC2}Kcom}Km(1). Then, the reception status flag in the
reception log in log memory 1460 attains an OFF status
indicating that reception has ended (step S150').
[0174] The remaining process is similar to that of the
first embodiment. The same steps have the same refer- 
ence characters allotted, and description thereof will not 
be repeated. 

[Reconnection Operation] 

[0175] Similar to Fig. 9 of the first embodiment, the 
second embodiment carries out a reconnection process 
to receive distribution again when the communication 
line has been disrupted at the stage of the processing 
step of the distribution operation. 
[0176] It is to be noted that the second reconnection 
process is partially modified from that of the first embod- 
iment. 

[Second Reconnection Process] 

[0177] Figs. 18, 19 and 20 are the first, second and 
third flow charts, respectively, to describe a second
reconnection operation in the data distribution system of
the second embodiment, and are comparable to Figs. 
10-12 of the first embodiment. 
[0178] The difference from the process of the first
embodiment is that control proceeds to step S121' of Fig. 16
after accepting session key Ks1 at step S318, and the
transaction ID, content ID and access restriction
information AC1 are recorded in license information hold unit
1440 at step S370 shown in Fig. 20. Data {Kc//AC2}Kcom
is encrypted using public encryption key KPm(1),
and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1).
Then at step S372', a process of rendering the
reception status flag of the reception log OFF, indicating
that reception has ended, is carried out.
[0179] The remaining process is similar to that of the first
embodiment. Corresponding steps have the same reference
characters allotted, and description thereof will not
be repeated.

[0180] The third reconnection process as well as the 
reconnection operation when the line is cut off during a 
reconnection operation are similar to the process of Fig. 
1. 

[0181] By such a structure, reconnection can be es- 
tablished even in the case where the communication 
line is disrupted in the processing step. Thus, the relia- 
bility of the system is further improved. 



[Third Embodiment] 

[0182] The distribution system of the third embodiment
differs from the data distribution system of the second
embodiment in that status information with a status
flag is transmitted to the server in the reception log
stored in log memory 1460 in memory card 110.
[0183] The status information includes the transaction
ID, session key Ks2, reception status flag and status flag
corresponding to the reception log.

[0184] Here, the license status flag is a flag variable
of 3 states. The license status flag takes the value of
"01h" when the transaction ID recorded in the reception
log is present in license information hold unit 1440 of
memory card 110, corresponding reproduction information
is present, and reproduction is not inhibited by the
access restriction information stored in license
information hold unit 1440, i.e. when in a reproducible state;
takes the value of "00h" when there is the transaction
ID in the license information hold unit, and there is no
corresponding reproduction information or when
reproduction is inhibited by the access restriction information
stored in license information hold unit 1440 so that
reproduction cannot be performed; and takes the value of
"FFh" when there is no transaction ID.

[0185] The structure of the data distribution system of
the third embodiment differs in the operation of controller
1420 of memory card 110 and the data stored in log
memory 1460 as will be described hereinafter.

[0186] The distribution operation and reconnection
operation of the third embodiment are similar to those
of the second embodiment except for the second
reconnection process set forth below.



[0187] Figs. 21, 22, 23 and 24 are the first, second,
third and fourth flowcharts, respectively, to describe the
second reconnection operation of the data distribution
system of the third embodiment.

[0188] Referring to Fig. 21, the process from step
S300 to step S338 is similar to the second reconnection 
operation of the second embodiment. 
[0189] At step S338, the reception data applied onto
data bus BS3 via memory interface 1200 in memory
card 110 is decrypted by decryption processing unit
1404 using private decryption key Kmc(1) unique to
memory card 110 stored in hold unit 1402, whereby session
key Ks1 is decrypted and extracted. Then, controller
1420 in memory card 110 retrieves data stored in license
information hold unit 1440 according to the transaction
ID in the reception log stored in log memory 1460
(step S640).

[0190] Controller 1420 checks whether there is a
transaction ID in license information hold unit 1440 (step
S642).

[0191] When there is no transaction ID, the license
status flag is set to "FFh" (step S644), and control
proceeds to step S652.

[0192] When there is the transaction ID at step S642,
controller 1420 confirms the status of access restriction
information AC1 stored in license information hold unit
1440 and whether a corresponding license key Kc is recorded
in memory 1415 (step S646). When reproduction
is allowed, the license status flag is set to "01h" (step
S648). When reproduction is not allowed, the license
status flag is set to "00h" (step S650). Then, control
proceeds to step S652.

[0193] The status information with the status flag added
to the reception log stored in log memory 1460 is
generated (step S652).

[0194] Controller 1482 designates session key gen- 
eration unit 1418 to generate a session key Ks2' gener- 
ated in the distribution operation of the memory card 
(step S654). 

[0195] Decryption processing circuit 1406 decrypts 
the status information and session key Ks2' using ses- 
sion key Ks1 (step S858). 

[0196] Controller 1420 obtains the hash value according
to the hash function corresponding to encrypted data
{status information//Ks2'}Ks1 to generate signature
data "hash" for encrypted data {status information//Ks2'}Ks1
(step S658).

[0197] Encryption processing unit 1406 encrypts the 
signature data hash applied under control of controller 
1420 using session key Ks1 applied from decryption 
processing unit 1402 via contact Pa of switch 1442 to 
generate encrypted signature data {hash}Ks1 (step
S660).

[0198] The generated data {status information//Ks2'} 
Ks1 and encrypted signature data {hash}Ks1 are output
from memory card 110 (step S662). 
[0199] Encrypted data {status information//Ks2'}Ks1
and encrypted signature data {hash}Ks1 output onto data
bus BS3 are transmitted from data bus BS3 to cellular
phone 100 via terminal 1202 and memory interface
1200, and transmitted from cellular phone 100 to
distribution server 30 (step S644).
[0200] Distribution server 30 receives encrypted data 
{status information//Ks2'}Ks1 and encrypted signature
data {hash}Ks1 (step S666). 

[0201] Referring to Fig. 23, decryption processing unit
320 of distribution server 30 executes a decryption process
on encrypted signature data {hash}Ks1 using session
key Ks1 to obtain signature data hash corresponding
to encrypted data {status information//Ks2'}Ks1.
Then, the authenticity of the status information is
checked based on encrypted data {status information//
Ks2'}Ks1 and the signature data (step S668).
[0202] The process ends if the status information is
not proper (step S712). When the authenticity of the status
information is verified, a decryption process is executed
using session key Ks1. The status information and
session key Ks2' generated by the memory card are accepted
(step S670).

[0203] Distribution control unit 315 verifies the
authenticity of the reproduction information retransmission
request based on the received status information and
license distribution log (step S672).
[0204] When the authenticity of the reproduction
information retransmission request is not verified, the second
reconnection process ends (step S712).
[0205] In contrast, if the authenticity of the reproduction
information transmission request is verified,
distribution control unit 315 obtains the content ID, access
restriction information AC1, reproduction circuit restriction
information AC2 and public encryption key KPm(1)
from the license distribution log (step S674). Then, license
key Kc to decrypt the encrypted content data is
obtained from information database 304 (step S676).

[0206] Distribution control unit 315 applies the obtained
license key Kc and reproduction circuit restriction
information AC2 to encryption processing unit 324.
Encryption processing unit 324 encrypts license key Kc
and reproduction circuit restriction information AC2 using
secret common key Kcom obtained from Kcom hold
unit 322 (step S678).

[0207] Encrypted data {Kc//AC2}Kcom output from
encryption processing unit 324, and the transaction ID,
content ID and access restriction information AC1 output
from distribution control unit 315 are encrypted by
encryption processing unit 326 using public encryption
key KPm(1) unique to memory card 110 obtained at
step S674 (step S680).

[0208] Encryption processing unit 328 receives the
output of encryption processing unit 326 to encrypt the
same using session key Ks2' generated at memory card
110 (step S682).

[0209] The encrypted data {{{Kc//AC2}Kcom//transaction
ID//content ID//AC1}Km(1)}Ks2' output from encryption
processing unit 328 is transmitted to cellular
phone 100 via data bus BS1 and communication device
350 (step S684).

[0210] Cellular phone 100 receives the transmitted
encrypted data {{{Kc//AC2}Kcom//transaction ID//content
ID//AC1}Km(1)}Ks2' (step S686).

[0211] Referring to Fig. 24, memory card 110 has the
reception data applied onto data bus BS3 via memory
interface 1200 decrypted by decryption processing unit
1412. Decryption processing unit 1412 uses session
key Ks2' applied from session key generation unit 1418
to decrypt the reception data on data bus BS3. The
decrypted data is output onto data bus BS4 (step S690).
[0212] At this stage, data {{Kc//AC2}Kcom//license
ID//content ID//AC1}Km(1) that can be decrypted with
private decryption key Km(1) stored in Km(1) hold unit
1421 is output. This data {{Kc//AC2}Kcom//transaction
ID//content ID//AC1}Km(1) is decrypted by public encryption
key Km(1), whereby data {Kc//AC2}Kcom, the
transaction ID, content ID and access restriction information
AC1 are accepted (step S692).

[0213] The transaction ID, content ID, access restriction
information AC1 are recorded in license information
hold unit 1440. Data {Kc//AC2}Kcom is encrypted with
public encryption key KPm(1), and stored in memory
1415 as data {{Kc//AC2}Kcom}Km(1) (step S694).
[0214] Then, the reception status flag in the reception
log in log memory 1460 is altered to the off state indicating
that reception has ended (step S696).
[0215] At the stage of proper completion of the proc- 
ess up to step S372, a content data distribution request 
is issued from cellular phone 100 to distribution server 
30 (step S698). 

[0216] In response to this content data distribution
request, distribution server 30 obtains encrypted content
data {Data}Kc and additional information Data-inf from
information database 304. These data are output via data
bus BS1 and communication device 350 (step S700).
[0217] Cellular phone 100 receives {Data}Kc//Data-inf,
and accepts encrypted content data {Data}Kc and
additional information Data-inf (step S702). Encrypted
content data {Data}Kc and additional information Data-inf
are transmitted onto data bus BS3 of memory card
110 via memory interface 1200 and terminal 1202. At
memory card 110, the received encrypted content data
{Data}Kc and additional information Data-inf are directly
stored in memory 1415 (step S704).
[0218] A distribution acceptance notification is trans- 
mitted from memory card 110 to distribution server 30 
(step S706). When the distribution acceptance is re- 
ceived at distribution server 30 (step S708), the distri- 
bution end process is executed (step S710). The proc- 
ess of the distribution server ends (step S712). 
[0219] The above description is based on a structure 
in which all the status information is encrypted using 
session key Ks1 at step S654, and encrypted data {sta- 
tus information//Ks2'}Ks1 is transmitted to distribution 
server 30 at steps S622 and S624. 
[0220] The transaction ID in the status information is 
required only to identify its source so that its security is 
not so important. Since the source becomes apparent 
by encrypted signature data {hash}Ks1, the transaction
ID does not have to be encrypted and can be transmitted 
to distribution server 30 in plaintext. In this case, the sta- 
tus information will be transmitted as transaction ID// 
{status information excluding transaction ID//Ks2'}Ks1, 
and signature data hash will be generated correspond- 
ingly. 

[0221] By such a structure, reconnection can be established
even when the communication line has been
cut off in the processing step. Thus, the reliability of the
system is further improved.
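
The third embodiment's status report, from the three-state license status flag of [0184] to the server-side check of [0201]-[0204], as an added Python example that is not part of the patent text. The field layout, the AC1 encoding as a play count, the retransmission policy and a server log that holds Ks2 are assumptions; the unnamed cipher and the {hash}Ks1 construction are replaced here by an HMAC-SHA-256 keystream and an HMAC-SHA-256 tag over the ciphertext.

```python
import hashlib
import hmac
import os
import struct

# Three-state license status flag, values as listed in paragraph [0184].
FLAG_REPRODUCIBLE = 0x01      # transaction ID held, key recorded, AC1 permits reproduction
FLAG_NOT_REPRODUCIBLE = 0x00  # transaction ID held, but key missing or AC1 inhibits it
FLAG_NO_TRANSACTION = 0xFF    # transaction ID absent from the license information hold unit

# Assumed wire layout: transaction ID (16), Ks2 (16), reception flag, license status flag.
STATUS_FMT = ">16s16sBB"
STATUS_LEN = struct.calcsize(STATUS_FMT)
NONCE_LEN = 16


def license_status_flag(license_hold, memory, transaction_id):
    """Card side, steps S640-S650: classify the transaction named in the reception log."""
    entry = license_hold.get(transaction_id)
    if entry is None:
        return FLAG_NO_TRANSACTION
    key_recorded = transaction_id in memory   # encrypted {Kc//AC2} is in memory
    allowed = entry["plays_left"] != 0        # assumed AC1 encoding: 0 means inhibited
    return FLAG_REPRODUCIBLE if key_recorded and allowed else FLAG_NOT_REPRODUCIBLE


def _subkey(ks1, label):
    """Derive separate encryption and tag keys from session key Ks1."""
    return hmac.new(ks1, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """Stand-in cipher (assumption): HMAC-SHA-256 keystream in counter mode."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        pad = hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def card_build_status(ks1, reception_log, status_flag, ks2_new):
    """Card side, steps S652-S662: emit {status information//Ks2'}Ks1 and its tag."""
    status = struct.pack(STATUS_FMT, reception_log["transaction_id"], reception_log["ks2"],
                         reception_log["reception_flag"], status_flag)
    nonce = os.urandom(NONCE_LEN)
    sealed = nonce + _xor_stream(_subkey(ks1, b"enc"), nonce, status + ks2_new)
    tag = hmac.new(_subkey(ks1, b"tag"), sealed, hashlib.sha256).digest()
    return sealed, tag


def server_accept_status(ks1, sealed, tag):
    """Server side, steps S668-S670: verify the tag over the ciphertext, then decrypt."""
    expected = hmac.new(_subkey(ks1, b"tag"), sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected) or len(sealed) < NONCE_LEN + STATUS_LEN:
        return None                            # not proper: the process ends (step S712)
    plain = _xor_stream(_subkey(ks1, b"enc"), sealed[:NONCE_LEN], sealed[NONCE_LEN:])
    tid, ks2, reception_flag, status_flag = struct.unpack(STATUS_FMT, plain[:STATUS_LEN])
    return {"transaction_id": tid, "ks2": ks2, "reception_flag": reception_flag,
            "status_flag": status_flag, "ks2_new": plain[STATUS_LEN:]}


def server_should_retransmit(status, distribution_log):
    """Step S672 under an assumed policy: the transaction must be in the server's license
    distribution log with the same Ks2, the card must still be waiting (reception flag ON)
    and must not already hold a reproducible license."""
    record = distribution_log.get(status["transaction_id"])
    if record is None or not hmac.compare_digest(record["ks2"], status["ks2"]):
        return False
    return status["reception_flag"] == 1 and status["status_flag"] != FLAG_REPRODUCIBLE


def demo():
    """Constructed run: the line was cut before the license reached the card."""
    ks1, ks2, ks2_new = os.urandom(16), os.urandom(16), os.urandom(16)
    tid = b"TXN-0000-0000-01"                  # constructed 16-byte transaction ID
    log = {"transaction_id": tid, "ks2": ks2, "reception_flag": 1}
    flag = license_status_flag({}, set(), tid)             # nothing stored yet
    sealed, tag = card_build_status(ks1, log, flag, ks2_new)
    status = server_accept_status(ks1, sealed, tag)
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 0x01])    # one bit flipped in transit
    return (flag, server_should_retransmit(status, {tid: {"ks2": ks2}}),
            server_accept_status(ks1, tampered, tag))


if __name__ == "__main__":
    print(demo())
```

The tag is computed over the ciphertext and checked before any decryption, matching the order of steps S668 and S670.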

[0222] The data distribution system of the first to third 
embodiments was described in which encryption and 
decryption are carried out using secret common key 
Kcom at distribution server 30 and cellular phone 100. 
A structure implementing encryption and decryption 
without this secret common key Kcom is allowed. 
[0223] In other words, a structure can be implemented
in which distribution server 30 corresponding to the data
distribution system of the first embodiment described
with reference to Fig. 3 is absent of Kcom hold unit 322
and encryption processing unit 324. More specifically,
license key Kc and reproduction circuit restriction
information AC2 output from distribution control unit 315 can
be directly transmitted to encryption processing unit 326
in distribution server 30.

[0224] Furthermore, in comparison to the structure of
cellular phone 100 described with reference to Fig. 4 in
the first embodiment, a structure can be implemented
absent of Kcom hold unit 1512 storing a secret common
key Kcom and a decryption processing unit 1514 using
secret common key Kcom.

[0225] In cellular phone 101 of such a structure, license
key Kc is directly obtained by decryption processing
unit 1510 that executes a decryption process using
session key Ks4 in view that an encryption process is
not performed with a secret symmetric key as a symmetric
encryption key in distribution server 30. Therefore,
license key Kc is directly applied to decryption
processing unit 1510.

[0226] In a structure where encryption and decryption
are not effected using secret common key Kcom, memory
card 110 can be used intact.

[0227] In a distribution process of such a case, content
key Kc and reproduction circuit restriction information
AC2 are transmitted and stored without being encrypted
with secret common key Kcom. The encryption
process and corresponding decryption process by secret
common key Kcom are no longer required. The remaining
elements are similar to those of the operation
of the first to third embodiments.

[0228] By such a structure, a data distribution system
that enjoys advantages similar to those of the data
distribution system of the first to third embodiments can be
developed with a structure that does not effect an
encryption process associated with secret common key
Kcom.

[0229] The above-described first to third embodi- 
ments may be subject to modifications set forth below. 
[0230] The first to third embodiments had data
{Kc//AC2}Kcom (or data Kc//AC2 in the structure without key
Kcom as mentioned above) encrypted by public encryption
key KPm(1), and recorded in license information
storage unit 1440. However, the second encryption using
public encryption key KPm(1) is not necessary if
stored in license information hold unit 1440 provided in
the TRM. Advantages similar to those of the first to third
embodiments can be provided even if the entire reproduction
information is stored in license information hold
unit 1440. In this case, step S148 of Fig. 8 and step S370
of Fig. 12 in the first embodiment are to be modified to
"record the transaction ID, content ID, AC1, {Kc//AC2}Kcom
in the license information hold unit". Also, step
S148 of Fig. 17 and step S370 of Fig. 20 in the second
embodiment and step S694 of Fig. 24 in the third
embodiment are to be modified similarly to "record the
transaction ID, content ID, AC1, {Kc//AC2}Kcom in the
license information hold unit." If a structure without key
Kcom is to be implemented corresponding to modifications
of first to third embodiments, the process is to be
modified to "record the transaction ID, content ID, AC1,
Kc//AC2 in the license information hold unit."
[0231] The data distribution system of the first to third
embodiments to receive reproduction information distribution
from the distribution server are described so that
authentication data {KPm(1)}KPma and {KPp(1)}KPma
of the memory card and cellular phone (content reproduction
circuit) are transmitted to the distribution server
(step S104), and received at the distribution server (step
S106), decrypted using authentication key KPma (step
S108), and then conducting an authentication process
with respect to both the memory card and cellular phone
(content reproduction circuit) according to the decryption
result. However, based on the fact that i) the content
reproduction circuit to reproduce music does not necessarily
have to be the cellular phone receiving distribution
since the memory card is detachable, and ii) in reproduction,
an authentication process of authentication data
{KPm(1)}KPma of the content reproduction circuit of
the output destination is carried out in providing a portion
of the reproduction information (license key Kc and
reproduction circuit restriction information AC) from the
memory card so that the security will not be degraded
even if an authentication process of authentication data
{KPm(1)}KPma of the content reproduction circuit in the
distribution server does not have to be carried out, a
structure can be implemented in which the authentication
process by authentication data {KPm(1)}KPma of
the content reproduction circuit of the distribution server
is not carried out.

[0232] In this case, the cellular phone transmits the
content ID, memory card authentication data {KPm(1)}KPma
and license purchase condition data AC at step
S104. The distribution server transmits the content ID,
memory card authentication data {KPm(1)}KPma and license
purchase condition data AC at step S106, and
authentication data {KPm(1)}KPma is decrypted using
authentication key KPma to accept public encryption key
KPm(1) at step S108. Then, at step S110, an authentication
process to determine whether public encryption
key KPm(1) has been output from a proper apparatus
is conducted by authentication of the authentication
server based on the decrypted result. The subsequent
process is to be carried out according to the authentication
result based on authentication data {KPm(1)}KPma
of the memory card. There is no change in the
reproduction process.

[0233] In the above description, storage of the distribution
information is effected by a memory card. However,
the present invention is not limited to such a case.
More specifically, the present invention is applicable to
a more general recording apparatus as long as the function
of recording and encryption or the like similar to that
of a memory card as described above is possessed.
Here, the recording apparatus is not limited to a structure
such as a memory card that is detachable from a
communication device such as the cellular phone, and
may be incorporated into a communication device.
[0234] Although the present invention has been de- 
scribed and illustrated in detail, it is clearly understood 
that the same is by way of illustration and example only 
and is not to be taken by way of limitation, the spirit and 
scope of the present invention being limited only by the 
terms of the appended claims. 



Claims 

1. A memory card (110) to receive and record repro- 
duction information associated with reproduction of 
encrypted content data, including a content key to 
decrypt said encrypted content data into plaintext, 
through a communication path, said memory card 
comprising: 

a data communication unit to establish a com- 
munication path with a transmission source of 
said reproduction information to receive said 
reproduction information transmitted in an en- 
crypted state, 

a first storage unit (1415, 1440) to store data 
associated with said reproduction information 
applied from said data communication unit,
an information extraction unit performing a 
process of storing data associated with said re- 
production information from said data commu- 
nication unit into said first storage unit, and ex- 
tracting said reproduction information based on 
data stored in said first storage unit, 
a second storage unit (1460) to record recep- 
tion log information indicating a processing sta- 
tus of a transmission process of said reproduc- 
tion information, and 

a control unit (1420) to control operation of said 
memory card, 

wherein said control unit controls transmission
of said reception log information to said transmission
source according to a request.

2. Thememorycardaccordingtociaim 1, whereinsaid 
data communication unit comprises 

a first key hold unit (1402) storing a first private 
decryption key to decrypt data encrypted by a 
first public encryption key predefined corre- 
sponding to said memory card, 
a first decryption processing unit (1404) to ap- 
ply a decryption process, receiving a first sym- 
metric key updated and transmitted for each 
communication of said reproduction informa- 
tion, and encrypted with saidfirst public encryp- 
tion key, 

a second key hoid unit (141 6) to store a second 
public encryption key differing for each said 
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memory card, 

a key generation unit (1418) generating a sec- 
ond symmetric key updated for each communi- 
cation of said reproduction information, 
a first encryption processing unit (1406) en- s 
crypting said second public encryption key and 
said second symmetric key based on said first 
symmetric key for output, and 
a second decryption processing unit (1412) re- 
ceiving said reproduction information encrypt- '<? 
ed with said second public encryption key and 
further encrypted with said second symmetric 
key to decrypt said reproduction information 
based on said second symmetric key, 
said first storage unit storing data based on an is 
output of said second decryption processing 
unit, 

wherein said information extraction unit com- 
prises 

a third key hold unit (1421) storing a second pri- 
vate decryption key to decrypt data encrypted 
with said second public encryption key, and 
a third decryption processing unit (1422) carry- 
ing out a decryption process for said second pri- 
vate decryption key in a procedure of a process 
of storing data associated with said reproduc- 
tion information into said first storage unit to a 
process of extracting said reproduction infor- 
mation. 

3. The memory card according to claim 2, wherein said 
first storage unit comprises 

a third storage unit (1415) to store first data 
which is a portion of said reproduction informa- 
tion including said content key in an encrypted 
state, and 

a fourth storage unit (1440) to store second da- 
ta excluding said portion of data of said repro- 
duction information in a plaintext state, 

wherein said information extraction unit 
stores in said fourth storage unit said second data 
from a result of a decryption process on an output 
of said second decryption processing unit by said 
third decryption processing unit, and 

comprises a re-encryption processing unit en- 
crypting a portion of said result of a decryption 
process on the output of said second decryp- 
tion processing unit by said third decryption 
processing unit using said second public en- 
cryption key to generate said first data to be 
stored in said third storage unit. 

4. The memory card according to claim 3, wherein said 
third storage unit receives and stores said encrypt- 
ed content data that can be decrypted based on 
said content key. 

5. The memory card according to claim 2, wherein said 
information extraction unit stores in said first stor- 
age unit in plaintext a result of a decryption process 
on an output of said second decryption processing 
unit by said third decryption processing unit. 

6. The memory card according to claim 5, wherein said 
first storage unit comprises 

a third storage unit (1415) to receive and store 
said encrypted content data that can be de- 
crypted based on said content key, and 
a fourth storage unit (1440) to store said repro- 
duction information in plaintext state. 

7. The memory card according to claim 2, wherein said 
memory card further comprises a fifth storage unit 
(1400) storing authentication data to conduct an au- 
thentication process at a transmission source of 
said reproduction information prior to transmission 
of said reproduction information, 

wherein said reception log information is gen- 
erated at said transmission source at every trans- 
mission of said reproduction information from said 
transmission source when authenticity of said 
memory card is verified in said authentication proc- 
ess, and includes communication identify informa- 
tion to identify said transmission and said second 
symmetric key. 

8. The memory card according to claim 2, further com- 
prising a fifth storage unit (1400) storing authenti- 
cation data to conduct an authentication process at 
a transmission source of said reproduction informa- 
tion prior to transmission of said reproduction infor- 
mation, 

wherein said reception log information in- 
cludes 

communication identify information generated 
at said communication source at every trans- 
mission of said reproduction information trans- 
mitted from said transmission source when au- 
thenticity of said memory card is verified in said 
authentication process to identify said trans- 
mission, 

status information indicating status of said re- 
production information already received, and 
said second symmetric key, 
said memory card further comprising means for 
generating and providing signature information 
based on at least said status information and 
said second symmetric key. 

9. The memory card according to claim 8, wherein said 
first encryption processing unit encrypts said recep- 
tion log information and said signature information 
based on said first symmetric key, and 

said memory card transmitting to said trans- 
mission source said reception log information and 
said signature information encrypted individually at 
said first encryption processing unit. 

10. The memory card according to claim 1, wherein said 
reception log information is erased from said sec- 
ond storage unit every time said content key is 
stored in said first storage unit. 

11. The memory card according to claim 1, wherein said 
reception log information further includes a recep- 
tion status flag rendered on every time transmission 
of said content key is requested towards said trans- 
mission source, and rendered off every time said 
content key is stored in said first storage unit. 
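
The reception-log handling of claims 8 and 11, sketched as an added Python example that is not part of the patent text. Assumptions: the class and function names are hypothetical, HMAC-SHA256 keyed with the second symmetric key stands in for the unspecified signature, the supply apparatus is assumed to keep that key per transaction in its distribution log, and the encryption of the report under the first symmetric key (claim 9) is omitted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class ReceptionLog:              # contents of the second storage unit (1460)
    transaction_id: bytes        # communication identify information
    ks2: bytes                   # second symmetric key for this session
    flag_on: bool                # reception status flag (claim 11)

def sign_log(ks2, transaction_id, flag_on):
    # Assumption: HMAC-SHA256 keyed with Ks2; the claims name no algorithm.
    status = b"\x01" if flag_on else b"\x00"
    return hmac.new(ks2, transaction_id + status, hashlib.sha256).digest()

class Card:
    def __init__(self):
        self.log = None
        self.licenses = {}

    def request_license(self, transaction_id):
        """Flag goes on when the content key is requested; returns fresh Ks2."""
        self.log = ReceptionLog(transaction_id, secrets.token_bytes(16), True)
        return self.log.ks2

    def store_license(self, content_key):
        """Flag goes off once the content key is stored in the card."""
        self.licenses[self.log.transaction_id] = content_key
        self.log.flag_on = False

    def report(self):
        """Reception log plus signature, sent to the source on request."""
        log = self.log
        sig = sign_log(log.ks2, log.transaction_id, log.flag_on)
        return log.transaction_id, log.flag_on, sig

def server_allows_redistribution(distribution_log, report):
    """distribution_log maps transaction ID -> Ks2 recorded by the server."""
    transaction_id, flag_on, signature = report
    ks2 = distribution_log.get(transaction_id)
    if ks2 is None:
        return False             # no such distribution on record
    expected = sign_log(ks2, transaction_id, flag_on)
    if not hmac.compare_digest(expected, signature):
        return False             # report altered, or signed under another Ks2
    return flag_on               # resend only if the key was never stored
```

Because the signature covers the status flag and is keyed per session, a report whose flag has been flipped back on after the content key was stored does not verify.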

12. A data distribution system comprising a content da- 
ta supply apparatus to supply encrypted content da- 
ta and reproduction information associated with re- 
production of encrypted content data, including a 
content key which is a decryption key to decrypt 
said encrypted content data into plaintext, 

wherein said content data supply apparatus 
(10) comprises 

distribution information hold unit (304) to store 
said content data and said reproduction infor- 
mation, 

a first interface unit (350) to transfer data with 
an external source, 
a first session key generation unit (316) gener- 
ating a first symmetric key updated for each dis- 
tribution of said reproduction information to 
said terminal, 

a session key encryption unit (318) encrypting 
said first symmetric key using a first public en- 
cryption key predefined corresponding to a ter- 
minal of said user, and applying the encrypted 
key to said first interface unit, 
a session key decryption unit (320) to decrypt 
a second public encryption key and a second 
symmetric key transmitted in an encrypted 
state by said first symmetric key, 
a first license data encryption processing unit 
(326) to encrypt reproduction information to re- 
produce said encrypted content data using said 
second public encryption key decrypted by said 
session key decryption unit, 
a second license data encryption processing 
unit (328) encrypting an output of said first li- 
cense data encryption processing unit with said 
second symmetric key, and applying the en- 
crypted output to said first interface unit for dis- 
tribution, and 

a distribution log information hold unit (306) to 
record distribution log information indicating a 
processing status during said distribution process, 

said distribution system further comprising a 
plurality of terminals (100) corresponding to a 
plurality of users, respectively, to receive distri- 
bution from said content data supply apparatus 
via a communication path, 

wherein each said terminal comprises 

a second interface unit (1104) to transfer data 
with an external source, and 
a data storage unit (110) receiving and storing 
said encrypted content data and said reproduc- 
tion information, 
said data storage unit including 
a first key hold unit (1402) to store a first private 
decryption key to decrypt data encrypted with 
a first public encryption key predefined corre- 
sponding to said data storage unit, 
a first decryption processing unit (1404) to ap- 
ply a decryption process, receiving a first sym- 
metric key updated and transmitted for each 
communication of said reproduction informa- 
tion, and encrypted with said first public encryp- 
tion key, 

a second key hold unit (1416) to store a second 
public encryption key differing for each said da- 
ta storage unit, 

a key generation unit (1418) generating a sec- 
ond symmetric key updated for each communi- 
cation of said reproduction information, 
a first encryption processing unit (1406) en- 
crypting said second public encryption key and 
said second symmetric key based on said first 
symmetric key for output, and 
a second decryption processing unit (1412) re- 
ceiving said reproduction information encrypt- 
ed with said second public encryption key and 
further encrypted with said second symmetric 
key to decrypt said reproduction information 
based on said second symmetric key, 
a first storage unit (1415, 1440) to store data 
based on an output of said second decryption 
processing unit, 

a third key hold unit (1421) storing a second pri- 
vate decryption key to decrypt data encrypted 
with said second public encryption key, 
a third decryption processing unit (1422) per- 
forming a decryption process for said second 
private decryption key in a procedure of a proc- 
ess of storing data associated with said repro- 
duction information into said first storage unit 
to a process of extracting said reproduction in- 
formation, 
a second storage unit (1460) to record said en- 
crypted content data and reception log informa- 
tion indicating a processing status in a distribu- 
tion process of said reproduction information, 
and 
a reception control unit (1420) controlling data 
transfer with an external source, 

wherein said reception control unit controls a 
redistribution process based on said reception log 
information when said communication path is cut 
during said distribution process. 

13. The data distribution system according to claim 12, 
wherein said data storage unit is a memory card de- 
tachable from said terminal. 

14. The data distribution system according to claim 13, 
wherein said content data supply apparatus further 
comprises 

means (132) for verifying authenticity of said 
memory card by authentication data transmit- 
ted from said memory card, prior to distribution 
of said reproduction information, and 
means (315) for generating distribution identify 
information to identify a distribution process 
every time a distribution process of said repro- 
duction information is carried out, 
said memory card further comprising a third 
storage unit (1460) storing said authentication 
data, 

said reception log information including com- 
munication identify information to identify said 
transmission and said second symmetric key, 
generated at said transmission source at every 
communication of said reproduction informa- 
tion transmitted from said transmission source 
when authenticity of said memory card is veri- 
fied in said authentication process. 

15. The data distribution system according to claim 12, 
wherein said reception log information is erased 
from said second storage unit every time said re- 
production information is stored in said first storage 
unit. 

16. The data distribution system according to claim 12, 
wherein said reception log information includes a 
reception status flag rendered on every time distri- 
bution of said reproduction information is requested 
to said transmission source, and rendered off every 
time said reproduction information is stored in said 
first storage unit. 

17. The data distribution system according to claim 12, 
wherein said reception log information includes at 
least said communication identify information and 
said second symmetric key. 